diff --git a/hosts/jaci/nixos/hardware-configuration.nix b/hosts/jaci/nixos/hardware-configuration.nix
index 5b06b82..9bc2807 100644
--- a/hosts/jaci/nixos/hardware-configuration.nix
+++ b/hosts/jaci/nixos/hardware-configuration.nix
@@ -43,10 +43,19 @@
   };
 
   # encrypted swap
-  boot.initrd.luks.devices."luks-a62778ac-3b3c-4eae-8713-1ab83f585608".device =
-    "/dev/disk/by-uuid/a62778ac-3b3c-4eae-8713-1ab83f585608";
+  boot.initrd.luks.devices."luks-a62778ac-3b3c-4eae-8713-1ab83f585608" = {
+    device = "/dev/disk/by-uuid/a62778ac-3b3c-4eae-8713-1ab83f585608";
+    keyFile = "/etc/secrets/swap.key";
+  };
 
-  swapDevices = [ { device = "/dev/mapper/luks-a62778ac-3b3c-4eae-8713-1ab83f585608"; } ];
+  # provide keyfile for swap
+  boot.initrd.secrets = {
+    "/etc/secrets/swap.key" = "/etc/secrets/swap.key";
+  };
+
+  swapDevices = [
+    { device = "/dev/mapper/luks-a62778ac-3b3c-4eae-8713-1ab83f585608"; }
+  ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's